How long does it take to… Enable vSAN Encryption?

With the addition of Data at Rest Encryption to vSAN in 6.6, I get this question… A LOT.

Typical questions
The typical question is something like this: “Hey Jase, how long will it take me to enable vSAN Encryption on my vSAN cluster?” Sometimes I’ll also get a “And I have 6 nodes with X much capacity, Y cache devices, and I’m using Z storage policy.”

Asking this question is like asking “Hey Jase, how long will it take for my Jeep to make it through the Poison Spider Mesa Trail in Moab, UT? Oh, and I have a Jeep Wrangler with 35″ tires.”

Both questions are somewhat headed in the right direction, but unfortunately lack a good bit of detail necessary to determine the amount of time required to accomplish the task.

Me on the Poison Spider Mesa Trail V-Notch

Conquering the Poison Spider Mesa Trail
For starters, the Poison Spider Mesa Trail (PSMT) has a trail rating of 6 according to the Cruise Moab site. This means that we’ll need a few things to successfully negotiate the PSMT. Any vehicle attempting this trail would likely need a Rear Locking (Rear Lockers) or A-Trac/LSD (limited slip) differential, 33″ tires, and be an off-roader with at least an intermediate level of experience. That’s pretty vague, but a general set of guidelines.

But how long will it take to complete the trail? Good question. There are a lot of factors that can go into determining the length of time you’ll need to complete this trail.

Back to the “How long will it take for my Jeep to make it through the PSMT?” question. Well, let me ask a few more questions.

Some sample equipment questions

What model Jeep Wrangler do you have? YJ, TJ, LJ, JK, JKU?

If you have a JK/JKU, is it a 2007-2011 or a 2012 through 2018?

You said you have 35″ tires, so I’m assuming you have a lift. What height lift do you have? 2.5″? 3.5″? 4″?

You didn’t mention whether you have a Rubicon or not, so I’m not certain what gearing you have. Do you have factory gears? 3.21? 3.73? 4.10? Have you upgraded your gearing? 4.56? 4.88? 5.13?

What type of tires are on your Jeep? What will the air pressure in each tire be while wheeling?

Do you have any skid plates, factory or otherwise?

Do you have proper equipment to handle a flat tire? Or a tire that pops off the rim? Are you using Beadlock wheels?

Some non-equipment questions

What time of year will you attempt the PSMT?

How many people & other vehicles will be in your party?

Are you an experienced driver?

Will you be sharing vehicles & taking turns negotiating/renegotiating obstacles?

Will you be stopping to take pictures of the scenery?

That’s a lot of questions, and a bit over the top, but they all can impact the amount of time to complete the trail. Different Jeeps have different capabilities. Even further, different modifications/upgrades to Jeeps are going to have an even bigger impact over a stock configuration.

Enabling or Disabling vSAN Encryption
Back to my original intent of the post… “How long does it take to enable/disable vSAN Encryption?” Again, a question that really requires more information.

As far as requirements go, any supported vSAN 6.6 configuration that has a vSAN Enterprise license and a compatible KMS implementation can use vSAN Encryption. Not really a Trail rating of 6, but that is the minimum requirement.

Some sample equipment questions I would ask are:

What type of CPUs do the vSAN cluster hosts have? Are they a current (recently current) generation? Do they have AES-NI instruction offload capabilities? As with any CPUs, older processors are not going to be as efficient as similarly spec’d current generation processors. In many cases, older CPUs with a faster clock speed may still only be as “fast” as newer generation CPUs with a lower clock speed due to architecture enhancements. And consider that CPUs that don’t offload the AES-NI instruction set will have to burn CPU cycles to handle the encryption process. It is STRENUOUSLY recommended to use CPUs with AES-NI offload capabilities. Even when the CPU supports AES-NI, it may have to be enabled.

What type of vSAN cluster is it, Hybrid or All Flash? Without going deep into the architecture of vSAN Hybrid vs All-Flash, suffice to say that All-Flash is faster and would likely perform the encryption process much faster. More can be read about Hybrid vs All-Flash on StorageHub.

How many disk groups are in each vSAN node? Why is this important? When only a single disk group is present, data is written to the disk group’s cache. All data will be moved through the cache device. When writing/moving data to a node, if multiple disk groups are present, more cache devices are available, and components are written to one or another disk group. One component could be written to the first disk group and another component could be written to another disk group. These actions are independent of each other.

How many vSAN nodes are in the cluster? When there are a larger number of nodes, the process of evacuating a node’s disk groups to perform the Disk Format Change (DFC) can more easily spread the evacuating data to other nodes. Smaller amounts of data can be placed on more nodes, rather than a large amount of data on fewer nodes. This can also impact the available storage policies that can be used.

What kind of devices are used for the vSAN Disk Group cache devices? What size are the cache devices? The size and performance characteristics can be contributing factors. Larger drives are better than smaller drives, and drives with better performance characteristics are obviously better than those with lesser performance characteristics.

What kind of devices are used for vSAN Disk Group capacity devices? And how many in each disk group? A greater number of capacity devices allows for more locations for writes to destage to within a disk group. Reads are improved by a greater number of devices in a disk group as well.

What are the storage device types in use? NVMe is faster than SAS, SAS is faster than SATA just to mention a few things to consider. Additionally, NVMe devices do not need a storage controller.

What kind of controller is used? Is the controller a 6Gbps controller? 12Gbps? How many devices are attached to this controller? The greater the queue depth, the better. The greater the speed of the controller, the better. A node with two disk groups spread evenly on two separate controllers could likely be more efficient than those same two disk groups on a single controller with a SAS expander, dependent on the workload.

What is the backend vSAN network configuration? 1Gb? 10Gb? 100Gb? Number of uplinks? More throughput capability is obviously better than less throughput capability.

Some sample vSAN questions I would ask are:

What is the overall utilization of the vSAN Datastore? Is the datastore over the 80% high water mark? How much free capacity is available to move data to while the Disk Format Change (DFC) process is occurring? More free capacity is better, providing for space to move components from a node going through the DFC process.

What storage policy(ies) is/are in use for the vSAN objects? This could be tied in with the number of nodes question above. What if RAID5 is being used with only 4 nodes? To complete the process of enabling vSAN Encryption, the “Allow Reduced Redundancy” option would have to be used. Consider that in this case, the loss (or network partitioning of) another node would make data inaccessible. If capacity is available, it could be good to apply a Mirroring storage policy instead in this case, especially if data redundancy is a hard requirement.

Are fault domains being used? Consider that fault domains can also determine storage policy compatibility.

What is the typical data working size and IO pattern? Is the workload heavy write? Heavy read? Keep in mind that while we’re performing a rolling upgrade, we still have to provide I/O to the normal workload. What is the daily data change rate? If 33% of the data on the cluster changes daily, it will likely take longer than if only 5% of the data changes.
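Several of the questions above (AES-NI, the 80% high water mark, free capacity for the DFC evacuation, and RAID5 on 4 nodes) can be checked before encryption is switched on. The following is an added example, not code from this blog or from VMware: the `DiskGroup` record, `dfc_preflight` function and sample host names are hypothetical, the inventory is entered by hand, and the RAID1/RAID6 host minimums are an assumption beyond the RAID5 case mentioned here.

```python
from dataclasses import dataclass

HIGH_WATER_MARK = 0.80  # datastore utilization threshold named in the post
# Minimum host counts per FTT=1 policy: an assumption from general vSAN
# sizing guidance; only the RAID5/4-node case is stated in the post.
MIN_HOSTS = {"RAID1": 3, "RAID5": 4, "RAID6": 6}

@dataclass
class DiskGroup:  # hypothetical inventory record, filled in by hand
    host: str
    capacity_gb: float
    used_gb: float
    aes_ni: bool  # AES-NI present and enabled on the owning host

def dfc_preflight(disk_groups, policy):
    """Return warnings to resolve before enabling vSAN Encryption."""
    warnings = []
    hosts = {dg.host for dg in disk_groups}
    total = sum(dg.capacity_gb for dg in disk_groups)
    used = sum(dg.used_gb for dg in disk_groups)
    if used / total > HIGH_WATER_MARK:
        warnings.append(f"datastore at {used / total:.0%}, over the 80% mark")
    # At the minimum host count there is no spare host to rebuild onto.
    if len(hosts) <= MIN_HOSTS[policy]:
        warnings.append(f"{policy} on {len(hosts)} hosts: Allow Reduced Redundancy required")
    for host in sorted({dg.host for dg in disk_groups if not dg.aes_ni}):
        warnings.append(f"{host}: AES-NI not available or not enabled")
    # The DFC evacuates one disk group at a time; its data must fit on the
    # others without pushing them past the high water mark (simplified:
    # component placement rules are ignored).
    for dg in disk_groups:
        headroom = sum(max(o.capacity_gb * HIGH_WATER_MARK - o.used_gb, 0)
                       for o in disk_groups if o is not dg)
        if dg.used_gb > headroom:
            warnings.append(f"{dg.host}: {dg.used_gb:.0f} GB to evacuate, {headroom:.0f} GB headroom")
    return warnings

# Constructed sample: four single-disk-group hosts running a RAID5 policy.
SAMPLE = [
    DiskGroup("esx01", 8000, 5000, True),
    DiskGroup("esx02", 8000, 5200, True),
    DiskGroup("esx03", 8000, 4900, False),
    DiskGroup("esx04", 8000, 5100, True),
]

if __name__ == "__main__":
    for line in dfc_preflight(SAMPLE, "RAID5"):
        print(line)
```

An empty result only means none of these blockers were found; it says nothing about how long the rolling reformat will take.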

So what’s the answer?
The intention of this post really isn’t to answer the question, but rather to bring the factors to light that need to be considered.

“Aw, Jase, that doesn’t help me.” Well, I’m sorry. What I will say though, is that after going through the process you’ll get a better idea of what’s involved, where different things matter, and what to expect.

Having completed the Poison Spider Mesa Trail a few times, I can tell you that it takes about 3 hours to complete the trail.

At least that’s my experience with my #GeeksWithJeeps buddies driving 4 Jeeps (Rubicons with 4″ lifts, upgraded gearing, 35″ tires, and upgraded undercarriage protection), in average April temperatures, with only a few other Jeeps on the trail, and a few leisurely stops.

I can guess, and I’m speculating, that attempting the same trail at the height of the Easter Jeep Safari, with hundreds of Jeeps around, would take 8 or more hours.

My point is, many factors should be taken into account, and in the end, “it depends.”


Disclaimer

Any views or opinions expressed here are strictly my own. While I am a blogger who works for VMware, I am solely responsible for all content published here. This is a personal blog, not a VMware blog. Content published here is not read, reviewed, or approved in advance by VMware and does not necessarily represent or reflect the views or opinions of VMware or any of its divisions, subsidiaries, or business partners.

Any of my code, configuration references, or suggestions, should be researched and verified in a lab environment before attempting in a production environment.

Agreement to use any of my code or recommendations, removes me from any liability as such.